Snort mailing list archives

Re: 17494 Falsing on non IE6 systems


From: JJC <cummingsj () gmail com>
Date: Wed, 27 Oct 2010 11:52:07 -0600

This doesn't solve your problem, but you could create a regex that
disables rev:1 of that rule and enables rev:3+ of that rule... that
way you don't have to remember to do it, it's automagic when you
update to the ruleset that has the revved rule...

JJC

On Wed, Oct 27, 2010 at 9:17 AM, Weir, Jason <jason.weir () nhrs org> wrote:
I agree with James - I had to put a "Re-Enable after 12/1/10" note in
the oink config file..

What a PITA..

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, October 27, 2010 10:16 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems


Ya, count me in here... rev 1 is firing on just about everything....
YAY for us Registered users :)  While I understand the whole pay for
rules thing, holding out on releasing a fixed rule for 30 days, such
as this one, is kinda crappy.  Not releasing improved/new rules, yes,
but ones that are broken like this... ya, not so much.  Yet another
rule disabled.

James

-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Wednesday, October 27, 2010 7:08 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Thanks Joel,

Any chance the revision # could be included on the SID page

http://www.snort.org/search/sid/1-17494

That way I could check before posting to the list..

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, October 27, 2010 9:02 AM
To: L0rd Ch0de1m0rt
Cc: Weir, Jason; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems


Current revision on this rule is rev:3.  It looks nothing like the
below.

Thanks for the feedback Jason.

Joel

On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:

Yea, this is a terribly written rule, especially with Web 2.0
technologies and advertising companies preferring to create ginormous
URIs.  It's not browser specific... all modern browsers support
URIs > 206 bytes and the RFC doesn't specify a limit....

Are you running the latest version of this rule?  I could be thinking
of a different rule, but I thought that when this one came out
everyone started complaining about it and they disabled it.  I
recommend all who are running it to disable it.

-L0rd C.

On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir () nhrs org>
wrote:
Tons of false positives on machines running IE7 & 8...

Maybe do a content match on the IE6 user agent - something like
content:"compatible; MSIE 6."

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

Jason
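
The revision-aware enable/disable that JJC suggests above, as an added example that is not part of the original thread and not oinkmaster's own code. It is a small line-based pass over a downloaded rules file: for each SID in a policy table, rules whose rev is below the wanted minimum are commented out and rules at or above it are uncommented, so the fix takes effect the moment the revved rule lands without anyone having to remember a "re-enable after" note. The sample ruleset is constructed for the example: the rev:1 line is the rule Jason posted, the rev:3 line is a placeholder that just bumps the rev (Joel says the real rev:3 looks nothing like it), and SID 1000001 is a made-up local rule used only to show that unrelated rules are left alone.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexes for the pieces of a Snort rule line that the policy cares about.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")
# A rule line, possibly commented out, starts with a rule action keyword.
ACTION_RE = re.compile(r"^\s*#?\s*(alert|log|pass|drop|reject|sdrop)\b")

# Constructed sample ruleset (see lead-in): rev:1 is the rule from the thread,
# rev:3 is a placeholder with only the rev changed, 1000001 is a made-up local rule.
SAMPLE_RULES = "\n".join([
    "# constructed sample rules file",
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)',
    '# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:3;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL constructed example rule"; flow:established,to_server; sid:1000001; rev:1;)',
]) + "\n"


def parse_rule_line(line: str) -> Optional[Tuple[bool, int, int]]:
    """Return (enabled, sid, rev) for a rule line, or None for non-rule lines.
    A missing rev is treated as rev 0, which is what Snort assumes too."""
    if not ACTION_RE.match(line):
        return None
    sid_m = SID_RE.search(line)
    if not sid_m:
        return None
    rev_m = REV_RE.search(line)
    enabled = not line.lstrip().startswith("#")
    return enabled, int(sid_m.group(1)), int(rev_m.group(1)) if rev_m else 0


def set_enabled(line: str, enabled: bool) -> str:
    """Comment or uncomment a rule line without touching the rule body."""
    body = line.lstrip()
    if body.startswith("#"):
        body = body.lstrip("#").lstrip()
    return body if enabled else "# " + body


def apply_rev_policy(rules_text: str, min_rev_by_sid: Dict[int, int]) -> Tuple[str, List[Tuple[int, int, str]]]:
    """Enable every rule for a policed SID whose rev >= the wanted minimum and
    disable every rule for that SID whose rev is lower. Returns the rewritten
    file text and a change log of (sid, rev, action) for auditing."""
    out: List[str] = []
    changes: List[Tuple[int, int, str]] = []
    for line in rules_text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is None or parsed[1] not in min_rev_by_sid:
            out.append(line)
            continue
        enabled, sid, rev = parsed
        want = rev >= min_rev_by_sid[sid]
        if want != enabled:
            changes.append((sid, rev, "enabled" if want else "disabled"))
            line = set_enabled(line, want)
        out.append(line)
    return "\n".join(out) + "\n", changes


def rule_states(rules_text: str) -> Dict[Tuple[int, int], bool]:
    """Map (sid, rev) -> enabled, handy for checking what a pass did."""
    states = {}
    for line in rules_text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is not None:
            states[(parsed[1], parsed[2])] = parsed[0]
    return states


if __name__ == "__main__":
    # Policy from the thread: 17494 is only trusted from rev 3 onwards.
    rewritten, log = apply_rev_policy(SAMPLE_RULES, {17494: 3})
    for sid, rev, action in log:
        print(f"sid:{sid} rev:{rev} {action}")
    print(rewritten)
```

Run it after each rule download and before restarting Snort; the change log is what you would want in your update notes instead of a reminder in the oinkmaster config. The policy table is the only thing to maintain, and once rev:3 is the version that ships, the rev:1 entry has nothing left to match and the policy becomes a no-op.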


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs